The webpage used in the exploit opens the game on a victim's computer and instructs it to load a malicious "MOD" file used to customize game settings and features, according to a document the researchers published Friday. Using some nonstandard behavior of a programming interface version found only in older versions of Windows, the MOD file is able to upload a malicious batch file that will be executed the next time the computer is restarted. The technique is successful because it overrides a whitelist that's supposed to restrict the sites that are permitted to load the Play4Free game.

"This is a good example to show people that even [if] games adopt several protections, odd, nonstandard behaviours in the operating system in use will allow attackers to bypass all the security measures adopted by the games," Donato Ferrante, a researcher with Malta-based ReVuln (@revuln) told Ars. "An example is given by the security check on the website hosting the game, which is checked against a whitelist and can be bypassed by relying on a nonstandard behavior of a Windows API (specifically for Windows OS before Windows Vista)."

Along with fellow researcher Luigi Auriemma, Ferrante has unearthed two other vulnerabilities that demonstrate the potential threats that can arise when browsing the Web on a computer that has online game software installed. Earlier this week, they detailed a bug in EA's Origin online game platform that allows attackers to remotely execute malicious code on players' computers. In October, they unveiled a similar attack on Steam, a competing online platform from Valve.

A spokesman for EA told Ars that the company is investigating the report and didn't have an immediate comment for this post.

The ReVuln researchers identified the root cause of the vulnerability as the way Play4Free invokes an update mechanism. It allows attackers to use the CreateProcessW Windows API to inject a series of variables into commands, which lets them override the whitelist protection. The end result is the ability to upload a batch file to the Windows startup folder of vulnerable machines. The file is automatically executed the next time the computer is rebooted, and depending on its contents, it can install a host of malicious software.
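The persistence mechanism described above (a batch file dropped into the Startup folder and run at the next logon) is something a defender can audit for directly. The script below is an added example written for this page, not ReVuln's proof of concept or EA's code: it lists files in the standard per-user and all-users Startup folders that Windows would execute at logon and that are not on a caller-supplied allowlist of known-good names. The folder paths cover the Vista-and-later and the XP-era layouts, and the extension set, function names and sample file names are assumptions, not values taken from the advisory.

```python
import os
import tempfile
from pathlib import Path

# File types Windows runs directly from a Startup folder. The .bat/.cmd case
# is the one the article describes; the others are additional script and
# program types a defender would also want flagged (assumed set).
RUNNABLE_EXTENSIONS = {".bat", ".cmd", ".vbs", ".js", ".ps1", ".exe", ".scr", ".lnk"}


def windows_startup_folders():
    """Candidate Startup folders for this machine.

    Vista and later keep them under %APPDATA% / %PROGRAMDATA%; Windows XP
    (the versions affected in the article) kept them under %USERPROFILE% /
    %ALLUSERSPROFILE%. Non-existent candidates are skipped by the audit.
    """
    candidates = []
    appdata = os.environ.get("APPDATA")
    if appdata:
        candidates.append(Path(appdata) / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "Startup")
    programdata = os.environ.get("PROGRAMDATA")
    if programdata:
        candidates.append(Path(programdata) / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "StartUp")
    userprofile = os.environ.get("USERPROFILE")
    if userprofile:
        candidates.append(Path(userprofile) / "Start Menu" / "Programs" / "Startup")
    allusers = os.environ.get("ALLUSERSPROFILE")
    if allusers:
        candidates.append(Path(allusers) / "Start Menu" / "Programs" / "Startup")
    return candidates


def find_startup_scripts(folder, allowlist=frozenset()):
    """Return names of runnable files in `folder` that are not allowlisted.

    Matching is case-insensitive because NTFS/FAT file names are. A missing
    folder yields an empty list rather than an error so the audit can be run
    unattended on machines with a non-standard profile layout.
    """
    folder = Path(folder)
    if not folder.is_dir():
        return []
    known = {name.lower() for name in allowlist}
    hits = []
    for entry in sorted(folder.iterdir()):
        if not entry.is_file():
            continue
        if entry.suffix.lower() in RUNNABLE_EXTENSIONS and entry.name.lower() not in known:
            hits.append(entry.name)
    return hits


def audit(allowlist=frozenset()):
    """Map each candidate Startup folder to the unexpected runnable files in it."""
    return {str(f): find_startup_scripts(f, allowlist) for f in windows_startup_folders()}


def demo_on_constructed_folder():
    """Build a throwaway folder with constructed sample files and audit it.

    The file names here are made up for the demonstration; only the .bat file
    should be reported because 'Known.lnk' is on the allowlist and the .txt
    file is not runnable.
    """
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("update.bat", "readme.txt", "Known.lnk"):
            (Path(tmp) / name).write_text("constructed sample\n")
        return find_startup_scripts(tmp, allowlist={"known.lnk"})


if __name__ == "__main__":
    for folder, files in audit().items():
        print(folder, "->", files if files else "nothing unexpected")
```

On a real machine, seed the allowlist with the Startup entries you have verified (for example shortcuts an IT image deliberately installs) and treat anything else, especially a batch file with a recent modification time, as something to inspect before the next reboot runs it.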

19 Reader Comments

Seems like web browsers need to, at a minimum, always prompt when using a third-party application to open a URI (and also customize which URIs third-party applications can actually open).

I know, personally, that I don't want Steam/Origin (not that I'd touch it)/BFP4F (nor that)/any other game to randomly open because a website says so. At least in the case of Steam, IIRC, they never intended it to be used that way anyways (it was targeted towards local shortcuts on the machine).


Mine have always prompted unless I've checked the box that says "Don't prompt me again." The prompt is specific to each program. I could have it auto launch steam links but not auto launch origin links.

Not a big deal, the people that play the game probably already downloaded plenty of torrented and pirated shit already.

Or they have outdated AV, unpatched systems, don't care anyway, whatever. In other words, this is like pointing out the leper has lost an arm. Nobody should be shocked anyway.

This is for default XP machines, default to me means XP SP0. Even if it's on SP3, big deal, there's already a handful of exploits for those machines anyway. Just throwing another bone on the pile of skulls won't really hurt anything.

TF2's Message of the Day can similarly be used to take over computers. Up until recently it used Java, but still available is Flash and HTML. The HTML side is from Chrome, but the engine isn't upgraded as often as Chrome is. This means that Flash-based and HTML-based browser attacks can be modified to attack Team Fortress 2.

I don't think EA is to blame for this one. It's a (fixed) Windows bug that happens to be exploitable through an EA game. I don't think anyone can hold them accountable for not being aware of undocumented behavior, although they should probably patch it on their side now that it's been brought to their attention.


People should blame Microsoft rather than Electronic Arts for this one. It's a Windows bug that happens to be exploitable through an EA game. I don't think anyone can hold EA accountable for not being aware of undocumented behavior, although they should probably patch it on their side now that it's been brought to their attention.

Microsoft already fixed it, it's called Windows Vista, Windows 7 and Windows 8. Notice it only works in a product released 11 and 10 years ago. We all know Windows was never the most secure OS, but they have been improving it and improving it year after year, release after release. If users decide to forgo the upgrading, it's not Microsoft's fault.



Settings > Multiplayer > Advanced > Disable HTML MOTD

Also useful for servers with annoying audio in their MOTD.

Exactly. I did it years ago, not because I was concerned about security, but the MOTDs were annoying.


It's a good idea and I do it too... BUT there are many servers that will disconnect you specifically because you have HTML turned off AND most players do not turn it off.
